Chapter 1 Security Framework


Transcript of Chapter 1 Security Framework

Page 1: Chapter 1 Security Framework

Security Framework

Predict – Preempt – Protect

Karthikeyan Dhayalan

Page 2: Chapter 1 Security Framework

Definitions

• Framework
  • Provides guidance on how to build individual architectures that will be useful to a diverse set of individuals
• Architecture
  • Conceptual construct
  • Tool to help individuals understand complex items
  • It expresses enterprise structure (form) and behaviour (function)
• Security Program
  • It is a framework made of many entities working together to provide a protection level for an environment
  • A security program should work in layers
  • Security via obscurity is not a healthy protective mechanism

Page 3: Chapter 1 Security Framework

ISO27000 Security Program

• Outlines how an information security management system should be built and maintained
• Provides guidance to design, implement and maintain policies, procedures, and technologies to manage risks to the sensitive information assets of an organization
• It's based on the PDCA model
• Some key ISO27000 standards
  • ISO27001 – ISMS requirements
  • ISO27002 – Code of practice for ISMS
  • ISO27005 – Risk management
  • ISO27031 – Business continuity

Page 4: Chapter 1 Security Framework

Enterprise Architecture

• Two important key aspects of an Enterprise Architecture
  • Identifying the stakeholders
    • The people who will be looking at it and using it
  • Developing views
    • How the information that is most important to different stakeholders will be illustrated in the most useful manner
• Architecture allows us not only to understand the business from different views, but also to understand how a change that takes place at one level will affect items at all other levels

Keep the building of a house in mind as a reference when understanding this

Page 5: Chapter 1 Security Framework

Zachman Architecture Framework

• The first architecture framework
• It is not a security-oriented framework
• Uses six basic communication interrogatives intersecting with different perspectives
• An important rule is that each row should describe the enterprise in its entirety from that row's perspective

Page 6: Chapter 1 Security Framework

The Open Group Architecture Framework (TOGAF)

• Has its origins in the US DoD
• Provides an approach to design, implement, and govern an enterprise information architecture
• Used to develop the following architecture types
  • Business Architecture
  • Data Architecture
  • Applications Architecture
  • Technology Architecture
• Uses the Architecture Development Method (ADM) to create individual architectures
• ADM is an iterative and cyclic process that allows requirements to be continuously reviewed and updated

Page 7: Chapter 1 Security Framework

Enterprise Security Architecture

• Subset of Enterprise Architecture
• Defines an information security strategy that consists of layers of solutions, processes, and procedures
• It ensures that security efforts align with business practices in a standardized and cost-effective manner
• For a successful ESA the following must be understood and followed
  • Strategic alignment
  • Business enablement
  • Process enhancement
  • Security effectiveness

Page 8: Chapter 1 Security Framework

Strategic Alignment

• Business drivers and legal/regulatory requirements must be met by the security architecture

Business Enablement

• Core business processes are integrated into the security operating model

Process Enhancement

• Enterprise security components must be integrated into the business processes to be effective

Security Effectiveness

• Metrics, meeting SLAs, achieving ROI, meeting set baselines, providing management dashboards

Slide callouts: "We can do new stuff" / "We can do stuff better"

Page 9: Chapter 1 Security Framework

COBIT

• It's a model for IT governance
• A framework for governance and management developed by ISACA
• It's a holistic approach based on 5 key principles
  • Meeting stakeholder needs
  • Covering the enterprise end to end
  • Applying a single integrated framework
  • Enabling a holistic approach
  • Separating governance from management
• It is ultimately linked to the stakeholders
• It deals at the operational level
• It specifies 17 enterprise goals and 17 IT-specific goals
• The majority of security compliance audit practices are based on COBIT

Page 10: Chapter 1 Security Framework

NIST 800-53

• Developed by NIST
• Outlines the controls that (US) agencies need to put in place to be compliant with FISMA
• There are many control categories addressed by it
• They are management, operational and technical controls prescribed for an information system to protect confidentiality, integrity and availability (CIA)
• As COBIT is for private-sector compliance needs, NIST is for US Government compliance needs

Page 11: Chapter 1 Security Framework

COSO Internal Control

• It is a model for corporate governance
• It deals at the strategic level
• It was formed to provide sponsorship for an organization that studied deceptive financial reports and what elements lead to them
• SOX is derived from COSO

Page 12: Chapter 1 Security Framework

ITIL

• De facto standard of best practices for IT service management
• Customizable framework
• It provides the goals, the general activities necessary to achieve the goals, and the input/output values for each process required to meet the goals
• It focuses more on internal SLAs between the IT department and the customers it serves (predominantly internal functions)

Page 13: Chapter 1 Security Framework

Six Sigma / CMMI

• Both are process improvement methodologies
• Six Sigma – improves processes by using statistical methods to measure operational efficiency and reduce variations, defects and waste
• CMMI – develops structured steps that an organization can follow to evolve from one level to the next and constantly improve its processes and security posture

Page 14: Chapter 1 Security Framework

Karthikeyan Dhayalan